Attribution of Cyber Attack

I’m not an expert in attribution nor in cyber warfare, but in light of the recent Sony hack and its “attribution” to North Korea, I did a little research. The article below is a summary of what I found, along with a few thoughts.

The “Laws of War” or the importance of attribution

Attribution of attacks has always been a key element of war. In order for a state to be able to use self-defence measures, it has to attribute an attack directly and conclusively to another state or to agent(s) under that state’s direct control. There are many examples where attackers used various techniques to pretend to be someone else or to mislead the attacked state into believing something. In this context, most attribution is done using HUMINT (Human Intelligence), which makes it (slightly) more reliable.

Cyber attacks are no exception. However, it is much more complicated to make a direct and conclusive attribution following a cyber attack.
The internet was not designed with “attribution” as a core concept. There are many ways to hide your identity and location, to change your behaviour so it matches someone else’s, to use (or pretend to use) someone else’s infrastructure, etc. All of those elements make it very difficult to perform attribution in cyberspace.

The problem of attribution of cyber attacks is essentially the problem of deception vs intelligence. Attackers control all the information.

It is also important to note that the parameters used to do attribution are all…in the hands of the attacker! The attacker can “decide” to make attribution easier…or not. This mainly depends on the skills, resources and time available to the attacker. A script kiddie will probably leave far too much evidence behind and will be identified quickly. But more skilled attackers also make mistakes; Mandiant mentioned this in the APT1 report, as such mistakes helped them identify some of the actors.

On the other hand, Stuxnet was quite hard to attribute, until the New York Times attributed it directly to the US.

The technical elements of cyber attribution

In 2010 Richard Bejtlich wrote a post about attribution and 20 characteristics of attribution. This post gives a framework that helps characterise an attack. Obviously, an attribution cannot be based on a single element alone. As with war, cyber war cannot be judged on a single element. Those elements have to be put together, compared with each other, and compared against a large number of attacks in order to make sense and to be valuable. My point is that doing attribution in an isolated manner would definitely be a risky business. Most probably, governments or major security firms are best positioned to do it, due to their ability to apply a similar framework across a significant number of attacks.

Progress in forensic techniques might lead people to believe that attribution can actually be solved. Like Jeffrey Carr, I believe that it is much more difficult and complicated than that. Jeffrey recently published a great paper on the topic, and in particular on 4 key challenges.

As I said above, it is difficult to trust technical evidence in the cyber world. To support that point, you can refer to the Tallinn Manual. There are a few interesting rules:

Rule 7: The mere fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure is not sufficient evidence for attributing the operation to that State but is an indication that the State in question is associated with the operation.

Rule 8: The fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State.

This leads to the question of responsibility. If an attack cannot be traced to its source with accuracy, there might still be a way to identify who is responsible for it.